At a Glance
On June 11, 2026, Coinbase's Independent Advisory Board on Quantum Computing and Blockchain put a hard number on the quantum threat to Bitcoin. Roughly 7 million BTC, about a third of the supply, are exposed to a future quantum attack because their public keys are already visible on-chain, through legacy address formats and address reuse.
No quantum computer can break that cryptography today, and none is close. The exposure is permanent, though. A public key, once revealed, cannot be hidden again, so the clock is running even though the attack itself is years away.
Institutions need to find out which of their holdings are already exposed, decide the order in which to migrate them, and put signing systems in place that support post-quantum signatures before the threat arrives.
How Many Bitcoin Are Vulnerable to Quantum Computers?
Roughly 7 million BTC, about a third of circulating supply. The figure comes from the advisory board's June 2026 report and counts two categories: coins in legacy address formats where the public key sits exposed on-chain, and coins made vulnerable by address reuse.
The directly exposed coins are the larger worry. About 1.7 million BTC sit in old pay-to-public-key (P2PK) addresses with the public key fully visible. Many are believed to be Satoshi's coins, or funds whose owners lost their keys years ago.
Every Bitcoin address is locked by a private key, and that key has a matching public key. A quantum computer running Shor's algorithm could derive the private key from any exposed public key. So a coin stays protected only while its public key stays hidden, which lasts until the owner first spends from the address. After that, nothing stands between the coin and an attacker except the absence of a capable machine.
No one can say with confidence how long that absence will last. Coinbase assembled the council in January 2026 to confront exactly that uncertainty, drawing researchers from Stanford University, the University of Texas at Austin, the Ethereum Foundation, Eigen Labs, Bar-Ilan University, and UC Santa Barbara.
Their position is that the uncertainty itself is the reason to move: "No quantum computer can break blockchain cryptography right now," the report states, "but timelines are uncertain, and the crypto community needs to start preparing now rather than debating exactly when the threat will arrive."
Why the Resource Estimates Keep Falling
No machine capable of the attack exists. The published cost of building one keeps dropping anyway.
In a March 2026 whitepaper, Google Quantum AI estimated that solving the elliptic curve discrete logarithm problem on secp256k1, the curve securing both Bitcoin and Ethereum signatures, would take fewer than 1,200 logical qubits and 90 million Toffoli gates. Mapped onto a superconducting surface-code architecture at a physical error rate of 10⁻³, that works out to fewer than 500,000 physical qubits.
Google frames the result as roughly an order of magnitude fewer resources than its own prior estimate, with the physical-qubit count down about twentyfold.
The largest systems in operation today hold less than one percent of that capacity, and the paper is careful to present a cost estimate rather than a timeline. But algorithmic improvements compound with hardware progress, and the hardware has been making progress.
IBM committed more than $10 billion to deliver Starling, the first large-scale fault-tolerant system it has promised, in 2029. A promise on that scale rests on error rates coming down, and they are coming down fast with Microsoft and Quantinuum reporting an 800-fold reduction in error rates on trapped-ion hardware, peer-reviewed in Nature on June 10, 2026.
That is why the field now measures progress in error-corrected reliability rather than raw qubit counts. Breaking a key takes tens of millions of operations in sequence, and only a machine with error rates low enough to finish a computation that long can attempt it.
That progress now comes with dates attached. Hardware makers have committed to delivery targets, and NIST has set deadlines for retiring the vulnerable algorithms.
| Date | Milestone | Source |
| August 2024 | NIST finalizes FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) | NIST |
| 2028 | QuEra targets Libra, its first fault-tolerant quantum computer, on Amazon Braket | QuEra |
| 2029 | IBM targets Starling, first large-scale fault-tolerant system | IBM |
| 2030 | NIST deprecates quantum-vulnerable algorithms (ECDSA, RSA) | NIST IR 8547 |
| 2035 | NIST disallows quantum-vulnerable algorithms entirely | NIST IR 8547 |
On the question of when a cryptographically relevant quantum computer actually arrives, the most recent public model stays cautious. The June 2026 Quantum Horizon paper runs a Monte Carlo forecast over hardware scaling, the falling resource requirement, and expert surveys. It puts the probability of such a machine by 2035 well below 50 percent, rising materially over the following decade.
A capable machine may be a decade or more away. Migration and governance can take years on their own, which is why the time to prepare is shorter than the headline dates suggest.
What Happens to BTC That Never Migrates?
The council calls this one of the most contentious questions facing the industry, and it is a governance question rather than a cryptographic one.
The report outlines three positions and stresses that they are not mutually exclusive: "There is no reason to not adopt more than one or all of them, since each has its own advantages."
| Option | Mechanism | Trade-off |
| Freeze or burn | Vulnerable coins become unusable after a deadline | Protects the network; overrides property rights of absent owners |
| Do nothing | Users decide individually; laggards bear the risk | Preserves Bitcoin's principles; leaves millions of coins claimable by the first capable attacker |
| Middle ground | Per-block movement limits on vulnerable coins; acceptance of special cryptographic proofs in place of legacy signatures; private pre-commitment to migration | Softens both extremes; adds protocol complexity |
The council is blunt about the cost of the most aggressive path. Forcing coins to be burned, it warns, "overrides property rights and sets a precedent for network-level interference that conflicts with Bitcoin's core principles."
The unowned coins are the hardest case. An attacker who derives Satoshi-era keys does no protocol-level damage, since the theft is indistinguishable from a legitimate spend. The harm is monetary and reputational instead. It would look like a sudden supply shock from coins the market had priced as lost, and a public demonstration that the base cryptography has failed.
Migration Roadmaps Are Becoming Published Schedules
The Ethereum Foundation has formed a dedicated post-quantum team, and Vitalik Buterin published a quantum upgrade roadmap earlier in 2026, and a more recent one in early July 2026. Smaller networks are publishing dates as well.
On June 9, the Stellar Development Foundation unveiled its Quantum Preparedness Plan, a three-stage roadmap that introduces ML-DSA signature verification in 2026 and lets accounts add a quantum-safe signer without changing their address or history. Stellar is a fraction of Bitcoin's size and has committed to specific dates, while Bitcoin developers are still debating migration mechanics in proposals such as BIP-360.
The destination cryptography is already standardized. NIST's FIPS 204 specifies ML-DSA, the lattice-based signature scheme that replaces elliptic-curve signatures in the post-quantum era, while FIPS 203 covers key encapsulation and FIPS 205 covers hash-based signatures.
The remaining work involves institutions inventorying their exposure, sequencing migration, and building signing infrastructure that supports post-quantum approvals without abandoning the chains they already run on. Most migration plans underweight that last requirement.
Custodians settle transactions around the clock and hold assets on many chains at once. They cannot take operations offline while one chain upgrades its cryptography, and they cannot leave assets unprotected while they wait years for every network to complete its own migration.
The signing stack has to verify post-quantum signatures alongside current EVM infrastructure, with no migration event and no break in operations.
Coinbase's advisory board makes the same case for starting early. A spokesperson put it plainly in the report: "The right time to prepare for a cryptographic transition is before it becomes urgent. Our view is that customer assets are safe today, but the industry should not confuse 'not imminent' with 'not important.'"
Key Questions
Can a quantum computer steal Bitcoin today? No. The largest experimental systems remain orders of magnitude below the fewer than 500,000 physical qubits the best current estimate requires, so the risk is forward-dated. Harvest-now-forge-later collection, though, already makes exposed keys a liability today.
What is a quantum-vulnerable address? Any address whose public key is visible on-chain. That includes pay-to-public-key outputs from Bitcoin's early years, and any address reused after spending, since the act of spending reveals the public key.
What is harvest now, forge later? An adversary records exposed public keys today and waits for a quantum computer capable of breaking them. Exposed keys on a blockchain cannot be re-hidden, so for those 7 million BTC the harvest is already complete.
When will NIST retire ECDSA? NIST IR 8547 deprecates ECDSA and RSA after 2030 and disallows them entirely after 2035. Institutions planning under federal guidance should treat 2030 as the working deprecation horizon.
The Bottom Line
The exposed-Bitcoin estimate is now public, sourced, and large. Seven million BTC sit behind cryptography with a published expiration window, and the only real variable is how early their owners act. Institutions that begin their inventory and migration planning in 2026 are early, and early is the cheapest position to hold.

